File: //snap/google-cloud-cli/current/lib/surface/container/binauthz/__init__.py
# -*- coding: utf-8 -*- #
# Copyright 2017 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The base surface for Binary Authorization signatures."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
from googlecloudsdk.core import properties
@base.ReleaseTracks(
base.ReleaseTrack.ALPHA, base.ReleaseTrack.BETA, base.ReleaseTrack.GA)
class Binauthz(base.Group):
r"""Manage attestations for Binary Authorization on Google Cloud Platform.
Binary Authorization is a feature which allows binaries to run on Google
Cloud Platform only if they are appropriately attested. Binary
Authorization is configured by creating a policy.
## EXAMPLES
This example assumes that you have created a keypair using gpg, usually
by running `gpg --gen-key ...`, with `Name-Email` set to
`attesting_user@example.com` for your attestor.
First, some convenience variables for brevity:
```sh
ATTESTING_USER="attesting_user@example.com"
DIGEST="000000000000000000000000000000000000000000000000000000000000abcd"
ARTIFACT_URL="gcr.io/example-project/example-image@sha256:${DIGEST}"
ATTESTOR_NAME="projects/example-project/attestors/canary"
```
Export your key's fingerprint (note this may differ based on version and
implementations of gpg):
```sh
gpg \
--with-colons \
--with-fingerprint \
--force-v4-certs \
--list-keys \
"${ATTESTING_USER}" | grep fpr | cut --delimiter=':' --fields 10
```
This should produce a 40 character, hexidecimal encoded string. See
https://tools.ietf.org/html/rfc4880#section-12.2 for more information on
key fingerprints.
Create your attestation payload:
```sh
{command} create-signature-payload \
--artifact-url="${ARTIFACT_URL}" \
> example_payload.txt
```
Create a signature from your attestation payload:
```sh
gpg \
--local-user "${ATTESTING_USER}" \
--armor \
--clearsign \
--output example_signature.pgp \
example_payload.txt
```
Upload the attestation:
```sh
{command} attestations create \
--public-key-id=${KEY_FINGERPRINT} \
--signature-file=example_signature.pgp \
--artifact-url="${ARTIFACT_URL}" \
--attestor=${ATTESTOR_NAME}
```
List the attestation by artifact URL. `--format` can be passed to
output the attestations as json or another supported format:
```sh
{command} attestations list \
--artifact-url="${ARTIFACT_URL}" \
--format=yaml
---
- |
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
... SNIP ...
-----END PGP PUBLIC KEY BLOCK-----
- |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
... SNIP ...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
... SNIP ...
-----END PGP SIGNATURE-----
```
List all artifact URLs on the project for which Container Analysis
Occurrences exist. This list includes the list of all URLs with BinAuthz
attestations:
```sh
{command} attestations list
---
https://gcr.io/example-project/example-image@sha256:000000000000000000000000000000000000000000000000000000000000abcd
...
```
Listing also works for kind=ATTESTATION_AUTHORITY attestations, just pass
the attestor:
```sh
{command} attestations list \
--artifact-url="${ARTIFACT_URL}" \
--attestor=${ATTESTOR_NAME} \
--format=yaml
...
```
"""
category = base.COMPUTE_CATEGORY
def Filter(self, context, args):
"""See base class."""
base.RequireProjectID(args)
# Explicitly override container group's LEGACY billing configuration.
properties.VALUES.billing.quota_project.Set(
properties.VALUES.billing.CURRENT_PROJECT)
return context